As we know, we can use WSO2 Application Server, Apache Tomcat or any other web container to host our web apps. What if there is a requirement to provide authorization to those web apps, that is, someone wants to allow access to their web apps in a fine grained manner? This has been done in the WSO2 platform; it was a project of mine. Using WSO2 Identity Server as the XACML Policy Decision Point (PDP), we can provide fine grained authorization to web apps. The PDP can be accessed via a web service called the Entitlement Service.

So what will be the Policy Enforcement Point (PEP) for the web app authorization? After some discussions we thought that a Servlet Filter would be the ideal solution. Any web app developer can define a servlet filter which they want to use, and servlet filters work in any kind of web app container.

On that decision we created a servlet filter which users can use to provide authorization to their web apps. We named it the Entitlement Servlet Filter. It uses a proxy to communicate with WSO2 Identity Server. The Entitlement PEP Proxy is responsible for the following tasks:

There is a service in the WSO2 IS called the Entitlement Service, which is used to evaluate XACML requests.

That is an admin service which can be used by the Admin Role.

To use that service we have to log in to the IS using the AuthenticationAdmin service.

So the PEP Proxy logs in to the IS as admin, so that we can use its Entitlement Service to evaluate the incoming requests.

We provide the following parameters to the PEP Proxy to evaluate the request against the XACML policies in the WSO2 IS: UserName, ResourceName, Action and Environment. It queries the IS using the provided parameters and gives us the authorization decision.

The following diagram shows how the servlet filter gets the authorization decision:

The next problem is how we should obtain the parameters UserName, ResourceName, Action and Environment. Except for the user name we already have them, because they are all related to the web app. How can we get the user name? For that we used the J2EE authentication mechanisms:

Basic Authentication

Client Cert Authentication

Digest Authentication

Form Authentication

After authentication we can obtain the username in the servlet filter. So all the parameters are available now.

As shown in the diagram, when a request comes to a particular web app which has the Entitlement Servlet Filter engaged, the filter obtains the parameters UserName, ResourceName, Action and Environment. Then it initializes the PEP Proxy to communicate with WSO2 IS. After that it sends the parameters and gets the entitlement decision. Based on that decision it stops or passes the request that came to the web app.

The next critical thing is how the user can engage the Entitlement Servlet Filter. For that we use the web.xml. The following shows an example web.xml which configures the Entitlement Servlet Filter.
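The post's own web.xml is not preserved here, so the following is an added example of the kind of web.xml described above (not the original file and not WSO2's shipped configuration). The filter class name, the init-param names and the Identity Server URL are placeholders; the BASIC login-config is one of the four J2EE mechanisms listed earlier, and it is what makes the authenticated username available to the filter through HttpServletRequest.getRemoteUser():

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original post's file. The filter class, init-param
     names and Identity Server URL below are assumptions / placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- 1. Engage the Entitlement Servlet Filter: this is the PEP. -->
  <filter>
    <filter-name>EntitlementFilter</filter-name>
    <!-- hypothetical class name; use the filter class from your distribution -->
    <filter-class>com.example.pep.EntitlementServletFilter</filter-class>
    <!-- Hypothetical init-params read by the PEP Proxy when it logs in to the
         Identity Server (AuthenticationAdmin) and calls the Entitlement Service. -->
    <init-param>
      <param-name>identityServerUrl</param-name>
      <param-value>https://localhost:9443/services/</param-value>
    </init-param>
    <init-param>
      <param-name>adminUser</param-name>
      <param-value>admin</param-value>
    </init-param>
    <init-param>
      <param-name>adminPassword</param-name>
      <param-value>CHANGE_ME</param-value>
    </init-param>
  </filter>
  <!-- Every request to the app passes through the filter, which builds the
       UserName / ResourceName / Action / Environment request and asks the PDP. -->
  <filter-mapping>
    <filter-name>EntitlementFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- 2. Container-managed authentication. The container enforces this before
          any filter runs, so the filter can read the username with
          request.getRemoteUser(). BASIC is used here; DIGEST, FORM or
          CLIENT-CERT fit the same slot. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- coarse check only: any authenticated "user"; the fine grained
           decision is left to the XACML policies in the Identity Server -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded, so require TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>webapp</realm-name>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The security-constraint answers "who is this user" and the filter answers "may this user do this action on this resource now"; keeping the two separate is what lets the XACML policy change without redeploying the web app. The Identity Server admin credentials are shown inline only to make the example self-contained; in a deployment they belong in a protected external property source rather than in web.xml, which is packaged inside the WAR.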

What is XACML Fine Grained Authorization?

When we talk about a resource (here the resource is the web app hosted in WSO2 Application Server, Apache Tomcat, etc.) we have to talk about the authorization of the users who use that resource. That means some users are authorized to use the resource and some are not. So what is meant by fine grained authorization? Traditionally, a user's authorization for a resource is decided by the user, the resource and the action the user performs on the resource. If we can instead provide authorization based on the user, the resource, the action the user performs on the resource, the environment, the time, the user's role and so on, that is fine grained authorization: we use more details of the scenario to decide the user's authorization. For example, a requirement like "This document can be edited only by AndunSLG, who is a Teacher, between 8am and 10am, at the school office premises" is a fine grained authorization requirement.

To evaluate such a requirement against a user's request, we have to document those fine grained authorization requirements. Those are called policies. XACML is used to document these kinds of policies, and we can evaluate a user's request against these XACML policies using a XACML engine.

We can use WSO2 Identity Server for this requirement. It has a XACML policy engine where users can evaluate their requests, and it provides many other functionalities related to XACML authorization. At the end I have given a lot of references where you can learn about XACML.

Sunday, July 1, 2012

Most of you will have experienced that we can use Apache Maven to automate build processes. We can also use Apache Ant for the same purpose. But when we use Maven we can resolve the dependencies of the project easily; the only thing required is adding your dependencies to the pom.xml as given below.

But when we use Apache Ant, we have to do some specific tasks to resolve dependencies in an intelligent manner. By "in an intelligent manner" I mean that if we know all the dependencies exactly, we can use the following command to download all the jar files our project needs.

In this project we need JUnit and the Spring Framework to compile and run the project. To get those jars into our project we use Ivy. First of all we have to download Ivy.
After downloading Ivy we can retrieve our dependencies. Those dependencies have to be specified in a file called ivy.xml which lives in the working directory. For this project this is the ivy.xml:
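The post's ivy.xml itself is not preserved here; the following is an added ivy.xml that declares the two dependencies the post names (JUnit and Spring). It is not the author's file; the organisation/module names and the version numbers are assumptions, and the groupId/artifactId to org/name mapping in the comments is the one the post describes for mvnrepository.com:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example ivy.xml, not the original post's file. The module name and
     the revisions are assumptions; look up org (= Maven groupId), name
     (= artifactId) and rev (= version) for your own jars on mvnrepository.com. -->
<ivy-module version="2.0">
  <info organisation="com.example" module="ant-ivy-demo"/>

  <configurations>
    <!-- "compile": jars needed to build and run the app.
         "test": everything in "compile" plus the test-only jars. -->
    <conf name="compile"/>
    <conf name="test" extends="compile"/>
  </configurations>

  <dependencies>
    <!-- mvnrepository: groupId=org.springframework, artifactId=spring-context.
         Transitive dependencies (spring-core, spring-beans, ...) are fetched
         too, which is Ivy's default and what we want for Spring. -->
    <dependency org="org.springframework" name="spring-context"
                rev="3.1.2.RELEASE" conf="compile->default"/>

    <!-- mvnrepository: groupId=junit, artifactId=junit.
         transitive="false": download only this jar, not the jars it declares
         as its own dependencies. -->
    <dependency org="junit" name="junit" rev="4.10"
                conf="test->default" transitive="false"/>
  </dependencies>
</ivy-module>
```

The `conf="compile->default"` mapping attaches the dependency's Maven "default" configuration to the local "compile" configuration, so a build file can retrieve the compile and test sets separately or together. Pinning exact revisions, rather than Ivy's `latest.integration`, is what makes the build reproducible and lets you review what actually lands in lib.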

In that, org, name and version are very important, because Ivy uses those details to download the jars from the public repository. By default Ivy also downloads all the transitive dependencies of the jars; we can stop that by setting transitive="false". Ivy will download all the jars to a directory called lib in the working directory. After that we can use it in our class path.
If you need to find the org, name and version of your jars, please use this link: http://mvnrepository.com/ There the details are given in this way:

Here groupId=org and artifactId=name, so you can create your ivy.xml using those details. Hope this helps you. Contact me for further clarifications. The following shell output shows how this build.xml works:
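Neither the post's build.xml nor its shell output survived, so here is an added build.xml that carries the procedure through from the Ivy retrieve to compiling and running the JUnit tests; it is not the author's file. It assumes an ivy.xml next to it with "compile" and "test" configurations, sources under src/ and test/, and the Ivy jar already on Ant's classpath (for example in ~/.ant/lib), which is the "download Ivy" step above:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example build.xml, not the original post's file. Assumes ivy.xml
     sits beside it and ivy-*.jar is in ~/.ant/lib or on Ant's classpath. -->
<project name="ant-ivy-demo" default="test" xmlns:ivy="antlib:org.apache.ivy.ant">

  <property name="src.dir"   value="src"/>
  <property name="test.dir"  value="test"/>
  <property name="build.dir" value="build"/>
  <property name="lib.dir"   value="lib"/>

  <!-- Resolve ivy.xml against the public repository and copy the jars into
       lib/ (the directory the post refers to). The pattern is Ivy's default
       layout, written out so that it is visible. -->
  <target name="resolve">
    <ivy:retrieve pattern="${lib.dir}/[artifact]-[revision].[ext]" conf="compile,test"/>
  </target>

  <!-- Everything Ivy fetched becomes the classpath; this is the "use that in
       our class path" step. -->
  <path id="project.classpath">
    <fileset dir="${lib.dir}" includes="*.jar"/>
    <pathelement location="${build.dir}/classes"/>
    <pathelement location="${build.dir}/test-classes"/>
  </path>

  <target name="compile" depends="resolve">
    <mkdir dir="${build.dir}/classes"/>
    <javac srcdir="${src.dir}" destdir="${build.dir}/classes"
           classpathref="project.classpath" includeantruntime="false"/>
  </target>

  <target name="test" depends="compile">
    <mkdir dir="${build.dir}/test-classes"/>
    <javac srcdir="${test.dir}" destdir="${build.dir}/test-classes"
           classpathref="project.classpath" includeantruntime="false"/>
    <!-- junit.jar comes from the Ivy "test" configuration in lib/ -->
    <junit printsummary="yes" haltonfailure="yes">
      <classpath refid="project.classpath"/>
      <batchtest>
        <fileset dir="${build.dir}/test-classes" includes="**/*Test.class"/>
      </batchtest>
    </junit>
  </target>

  <!-- Removing lib/ as well forces the next build to re-retrieve, which is a
       quick way to check that ivy.xml alone is enough to rebuild the project. -->
  <target name="clean">
    <delete dir="${build.dir}"/>
    <delete dir="${lib.dir}"/>
  </target>
</project>
```

Running `ant` (or `ant test`) resolves, compiles and runs the tests in one go; `ant resolve` on its own just populates lib/, which is handy for inspecting exactly which jars, including transitive ones, the declared org/name/version triples pulled in before they go on the classpath.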